HIPAA OMNIBUS RULES AND BUSINESS ASSOCIATES
As of September 23, 2013, covered entities should have updated their HIPAA compliance programs to comply with the final HIPAA Omnibus rules. The final rules became effective on March 26, 2013 but gave covered entities 180 days to comply. Covered entities that have not yet updated their compliance programs to meet the final Omnibus rule requirements need to do so immediately: they run the risk of being found in willful neglect by the Department of Health and Human Services (HHS), of facing a full HIPAA audit, and of paying high fines. According to Leon Rodriguez, director at the HHS Office of Civil Rights, the final Omnibus Rules bring “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented”.
An important aspect of updating the HIPAA compliance program to meet the final Omnibus Rules requirements is to review and update business associate agreements. A business associate is an entity that has access to protected health information (PHI) while providing a service to a covered entity; business associates receive, store, maintain or transmit PHI on behalf of the covered entity. Examples of business associates include medical billing companies, information technology companies, shredding companies and copy machine companies. Covered entities have until September 23, 2014 to update their business associate agreements to comply with the final HIPAA Omnibus rule. Business associate agreements that were not modified or renewed between March 26, 2013 and September 23, 2013 will be considered compliant until they need to be renewed or until September 22nd, 2014.
The American Medical Association states that the kinds of individuals and entities that can be treated as business associates have expanded under the Omnibus Rules. These organizations include patient safety organizations, health information exchange (HIE) systems and EMR or EHR companies. Medical practices need to determine which of the organizations they work with require a business associate agreement.
Covered entities must ensure that the business associates they work with are HIPAA compliant. Under the final Omnibus rules, business associates are directly liable for any violations that occur and are responsible for any subcontractors they work with. Business associates need to conduct a thorough risk analysis and must comply with the Security Rule and the Breach Notification Rule.
At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA compliance consulting services. As part of these services, we help medical practices perform and document a risk analysis, and we provide them with a thorough risk management report describing the risks and vulnerabilities affecting their PHI.
A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.
For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.
At Vitruvian MedPro, a Massachusetts-based medical billing and practice management consulting company, we help medical practices improve cash flow and focus on patient care by providing medical billing, medical coding, and patient collection services. Visit our web site at Vitruvian MedPro.